It's not uncommon for organisations to find holes in their cyber incident response plans at the worst possible time: immediately after attackers strike.
Despite their best intentions, most organisations tend to overlook the 'what if' scenarios, focusing their incident response planning on simple, best-practice responses. Sadly, most attacks don't unfold the way the plan assumed they would.
For example, in a recent cyber security attack, an organisation's e-mail exchange service was compromised and it could no longer send e-mails. This entirely derailed its formal incident response protocols, which involved e-mailing all stakeholders.
There was panic, HR had to compile lists of the necessary role players' mobile numbers, and they all had to be messaged or called. This kind of chaos delays incident response and recovery at a time when every minute counts.
Another common oversight is to make just one person responsible for certain actions without considering what should be done if they aren't available, or if their account has been compromised. This is particularly prevalent in smaller organisations reliant on just a handful of technical staff members.
If companies don't plan for what-if scenarios, or for situations where things don't go exactly as planned, panic starts creeping in, people start making snap or rash decisions, and that's when things can go horribly wrong.
How to plan for the unexpected
It is important to run different scenarios in a controlled environment, so that when people need to make a snap decision under pressure, at least they've gone through the process before. Much like in any sport, the more you practise, the 'luckier' you get, or the better you are at responding.
Unfortunately, there are an infinite number of possible scenarios, and organisations cannot be expected to prepare for all of them.
However, it is possible to model common threats, industry-specific threats and the organisation's own threat exposure to cover the most likely attack methods. Then, during regular tabletop exercises, throw in random 'what if' scenarios to challenge people to be more agile in their responses. Ask 'what if a particular person isn't available?' or 'what if a key system goes down?' This makes the team think about plans B, C and beyond.
New tools are now becoming available to help businesses come up with scenarios that might occur. GitHub offers a number of AI tools to generate unusual attack scenarios, which can help companies flesh out their response plans. A new tool set to come to market soon is TryHackMe's cyber incident tabletop exercise simulator, which creates attack scenarios on the fly.
Businesses must also consider how South Africa-specific challenges like load-shedding would impact the response options and recovery times.
Testing and validation
Testing is crucial. It's one thing to have a response plan filed and approved, but it's quite another to test it and see if it actually works the way it's supposed to.
Regular tabletop testing and attack simulations are necessary to validate security controls and assess incident response plans. The more these exercises are carried out, the more robust the organisation's security becomes.
Proper preparation should also include attending to basic security hygiene and instilling a cyber security culture throughout the organisation.
Too many companies are vulnerable due to neglected patch management. Security teams may be so focused on mitigating new risks that they lose track of the basics. Departments within the company might launch new systems or services without notifying IT, leaving those services vulnerable or exposed to threat actors without IT or security even being aware of them.
Another risk is relying on third-party libraries or third-party tooling, because if they make a change, it may introduce a vulnerability into the environment.
It's crucial to know exactly what's in the company's estate and constantly monitor its threat exposure, particularly when any business or infrastructure changes are made, or when the organisation is moving to the cloud.
It's also important to prepare for the inevitable mistakes staff members might make. On top of raising awareness of cyber risks, companies need to prepare staff for what to do in the event they accidentally click on a phishing link.
Staff should be trained not to hide their mistake in shame, but to report it immediately. They also need to have clear instructions about what the required next steps are.
By assuming it will be attacked and taking steps to mitigate and counter as many scenarios as possible, the organisation can reduce panic and chaos during a breach and recover much faster.